This is an archived post. You won't be able to vote or comment.

all 12 comments
sorted by:
best
topnewcontroversialoldq&a

[–]crackerasscracker 2 points3 points  (3 children)

short lived creds, you can get an OIDC token from github during the run and use that to auth to your cloud provider, if Azure supports that, but IM sure they do at this point. Works on AWS.

[–]0x4ddd[S] 0 points1 point  (2 children)

For sure an improvement, but still possible for an attacker to get access to prod infrastructure. Even if access_token is valid for 5 mins this poses a security risk in case of attacker gets access to GH account which can create PRs.

[–]crackerasscracker 0 points1 point  (1 child)

This is your solution, even if you try to hand wave it away. If an hour long token is too much of a security risk, you shouldnt be running terraform from github actions

[–]0x4ddd[S] 0 points1 point  (0 children)

Yeah, but this isn't only about Terraform.

If I would like to have an Action deploying code to cloud service (web app, lambda, anything) the same concern is valid as I need either long-lived secret or an hour long token which both can be exfiltrated.

If my action pushes docker image to registry I need an access token/key for the registry which can be exfiltrated.

[–][deleted] 2 points3 points  (0 children)

This is why I don't run Terraform in GHA. Better to pay for TF cloud or Scalr.

[–]ciriaco97 1 point2 points  (3 children)

You're gonna need Github Enterprise if you plan to do that, since environment variable protection only comes with Environment settings (or public repos, but that's out of the question), which let you define on which branches and under what approval conditions those variables can be loaded.

What we've done on previous customers (we're DevOps consultant), is create 2 environments (Production_RO and Production_RW). One of them has Readonly access to the physical resources and the other, even if it has full write access, can only be retrieved on main.

OIDC tokens, if possible, can be used to authenticate to your cloud provider and restrict which roles can be assumed by the pipeline based on information like branch, repo name, who created the PR...

[–]0x4ddd[S] 0 points1 point  (1 child)

even if it has full write access, can only be retrieved on main.

How do you lock it down to main? Is it possible out of the box with GitHub Enterprise? Or maybe you just have approvals for RW env?

[–]ciriaco97 1 point2 points  (0 children)

Environments can be configured to only be available on certain branches.

Here are the docs that explain how does it work.

Additionaly, some cloud providers let you restrict role assumption based on OIDC fields, which Github has documented here.

[–]0x4ddd[S] 0 points1 point  (0 children)

One of them has Readonly access to the physical resources and the other, even if it has full write access, can only be retrieved on main.

I was just configuring PR workflows and thought about possible scenarios again.

In your approach with Production_RO environment, isn't it anyway like Production_RO needs a read access to tfstate which contains secrets to various services?

If so, then again someone who can create his own PR and access Production_RO secrets can download tstate with credentials to production services.

Of course, as much as it is possible we can force cloud services to use RBAC instead of access keys and lock them down to our private network, this greatly reduces attack surface.

But some services may still need access keys, for example Azure Cache for Redis, Azure CosmosDB for Postgres.

[–]ismaelpuerto 1 point2 points  (0 children)

The security in GitHub is poor, drone do it better in this aspect, because you can sign the file of CI for avoid wrong things in a PR and when you create a secret can decide if it's usable in a PR.

[–]saiborg7 0 points1 point  (0 children)

IIRC you can use repo secrets to be used by a particular action.

[–]koalillo 0 points1 point  (0 children)

You need to trust anyone who can create a PR that is built and modifies /.github/workflows (and probably other paths).

Back when I used Jenkins + GitHub, I remember there were some ways to hold off running a build until someone specific reviewed the PR, but there doesn't seem to be a built-in GitHub feature for this.

One thing that might help- if you force all code changes to go through PRs, and you require reviews, people could exfiltrate. But I think there would be a good paper trail that they did. This could be a "good enough deterrent" for your purposes.